No matter how you like to participate in developer communities, Pulumi wants to meet you there. If you want to meet other Pulumi users to share use-cases and best practices, contribute code or documentation, see us at an event, or just tell a story about something cool you did with Pulumi, you are part of our community.

Pulumi Community

I’m checking for you, but this may be a bug.

Hi <@U028KAXHK6Z>! Thanks for calling this to our attention. The reason this does not work at present is that <https://www.pulumi.com/docs/intro/pulumi-service/organization-access-tokens/#permissionsauthorization|organization tokens are granted no org admin level privileges> at this time, and <https://www.pulumi.com/docs/guides/crossguard/#policy-as-code-crossguard|publishing policy packs> requires that you are an org administrator (links here for anyone else that comes across this Slack thread and is curious).

This calls into question a clear use case for automation to have sufficient privileges to make changes to PaC, so we will evaluate if permissions changes need to be made to organization tokens to enable this. As this is a relatively new feature, we welcome the opportunity to make tweaks to it as the needs of our users become more clear, so once again thanks for your input on this!

thanks Pulumi team <@U024WPJTQ77> <@UCWG26BH7>! i will stay tune to any update about this topic. Also, as a feedback related to the crossguard feature, it would be nice if you can provide an easy way (thinking in automation processes cicd) to associate policy packs to policy groups and pulumi stacks to policy groups. I’m handling these scenarios with some config files that the cicd pipeline use to create the associations. as a proposal:

- a `Pulumi.yaml` file could have a property option to associate a pulumi project with multiple policy groups.

- a `PulumiPolicy.yaml` could have a parameter to associate that policy pack to multiple policy groups.